Ravin

Introduction to Ravin

Security incidents are inevitable in computer networks. Security products such as firewalls, NIDS and HIDS cannot guarantee comprehensive prevention of attacks in enterprise networks. Detecting and reacting rapidly to attacks requires continuously collecting, analyzing and monitoring important events in order to give the organization awareness of its security situation. Based on best practices, the appropriate solution for maintaining awareness of the security situation of a computer network and for detecting and responding to cyber-attacks is to deploy a Security Operation Center (SOC). As a comprehensive and integrated solution, a SOC raises the level of defense of an organization's cyberspace against attackers. PayamPardaz Corporation has two decades of successful experience in the design and development of network security products such as network intrusion detection systems, UTM and VPN. Since 2012, PayamPardaz has offered the RAVIN product as a powerful SIEM for deploying a security operation center. SIEM (Security Information and Event Management) is the technological heart of a SOC, alongside its processes and security analysts.

Properties and Features

Network Intrusion Detection System

Throughput: up to 10 GbE.

Concurrent sessions: up to 5 million concurrent sessions without packet loss.

Behavioral anomaly detection: detects new and unknown attacks using learning-based anomaly detection methods.

Comprehensive set of attack signatures: more than 18,000 predefined attack signatures that can be updated continuously. The set covers different types of attacks such as scanning, gaining access, data manipulation, propagation, malware activity and denial of service.

GUI: web-based graphical user interface.

Network traffic analysis sensor

Automatic detection of application-layer protocols: application-layer detection of more than 170 protocols, regardless of the port being used. Known protocols can therefore be detected on non-standard ports (e.g. HTTP on ports other than 80), and the opposite as well (e.g. Skype traffic on port 80), since the assumption that port equals application no longer holds.

Network traffic monitoring: defines charts of packet rate, flow rate and volume usage over various time periods for different application-layer protocols and adds them to dashboards.

NetFlow support: receives and processes NetFlow reports.

Zero-day attack detection: analyzes traffic-flow information and extracts new attack evidence. It learns the behavior of services and users and detects abnormal behavior. The problem with signature-based sensors is that no predefined signatures exist for detecting zero-day attacks and malware. Most such attacks nonetheless affect network traffic flows; analyzing these effects as evidence of malicious activity helps detect zero-day attacks.
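The port-independent detection described above can be illustrated with a small payload-based classifier. This is an added example, not code from the Ravin product or from PayamPardaz: it identifies HTTP, SSH and TLS from the first bytes of a flow and flags flows where the port-based guess disagrees with the payload. The sample flows and their addresses are constructed for the demonstration.

```python
"""Port-independent application-layer protocol identification.

Added example, not part of the Ravin product: a payload-based classifier
showing why "port == application" no longer holds. Sample flows below are
constructed (RFC 5737 / private addresses), not captured traffic.
"""
import re

# Constructed sample flows: (src, dst, dst_port, first payload bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80,   b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.5", "10.0.0.21", 8088, b"POST /api/login HTTP/1.1\r\nHost: app\r\n\r\n"),
    ("10.0.0.7", "10.0.0.22", 80,   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.9", "10.0.0.23", 2222, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.9", "10.0.0.24", 443,  b"\x00\x00\x00\x00\x00\x00\x00\x00"),
]

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def identify_protocol(payload: bytes) -> str:
    """Classify by payload content only; the destination port is deliberately ignored."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 3,
    # followed by a handshake message of type 1 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


def port_guess(port: int) -> str:
    """The legacy 'port == application' view, for comparison."""
    well_known = {80: "http", 443: "tls", 22: "ssh"}
    return well_known.get(port, "unknown")


def analyse_flows(flows):
    """Return one result per flow, flagging where the two views disagree.

    A mismatch is exactly the case a port-based sensor would misreport:
    a known protocol on a non-standard port, or something else on a well-known port.
    """
    results = []
    for src, dst, port, payload in flows:
        by_payload = identify_protocol(payload)
        by_port = port_guess(port)
        results.append({
            "src": src, "dst": dst, "port": port,
            "by_port": by_port, "by_payload": by_payload,
            "mismatch": by_payload != by_port,
        })
    return results


if __name__ == "__main__":
    for r in analyse_flows(SAMPLE_FLOWS):
        print(f"{r['src']} -> {r['dst']}:{r['port']:<5} port says {r['by_port']:<8}"
              f" payload says {r['by_payload']:<8} mismatch={r['mismatch']}")
```

Only the first flow agrees between the two views; the other four are the situations the table describes (HTTP on 8088, TLS on 80, SSH on 2222, and non-TLS bytes on 443), which is why a traffic analysis sensor must look at the payload rather than the port.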

Log collector

Customizable for supporting various sensors: supports adding the organization's own applications so that their logs can be received.

Throughput: up to 20 thousand events per second on one appliance, scalable to higher rates.

Number of supported sensors: unlimited.

Event filters: arbitrary filters can be defined to drop unusable logs or to prevent certain logs from entering the system, according to the organization's security policies.

Compression rate: to reduce the bandwidth needed to transmit logs over the network from the log collector to the log manager, logs are compressed at a 10:1 ratio.

Secure transmission: data security is ensured by providing confidentiality and integrity for the connections between modules.

Reliable transmission: a cache retains received logs temporarily to prevent data loss during network disconnection.
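The filtering, compression and caching behaviours listed for the log collector can be shown together in a small store-and-forward pipeline. This is an added example, not PayamPardaz's collector code: the log lines are constructed syslog-style samples, the drop patterns are an assumed policy, and the link to the log manager is a stub that can be switched off to show the cache preventing loss.

```python
"""Log collector pipeline: policy filters, compression and a loss-preventing cache.

Added example, not the Ravin log collector: it demonstrates the three
behaviours on constructed syslog-style lines. The transport is a stub
standing in for the network link from collector (LC) to log manager (LM).
"""
import re
import zlib
from collections import deque

# Constructed sample log lines; the DEBUG heartbeat is what a policy filter would drop.
SAMPLE_LOGS = [
    "<134>Jan 10 10:00:01 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 DPT=443",
    "<135>Jan 10 10:00:01 app01 myapp: DEBUG heartbeat ok",
    "<132>Jan 10 10:00:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.20 DPT=22",
    "<134>Jan 10 10:00:03 app01 myapp: INFO user alice logged in",
] * 25   # repetition stands in for a realistic, highly redundant log stream

# Assumed filter policy: a line is dropped if any pattern matches.
DROP_PATTERNS = [re.compile(r"\bDEBUG\b"), re.compile(r"heartbeat")]


def apply_filters(lines, drop_patterns=DROP_PATTERNS):
    """Event filtering: remove lines the organization's policy marks as unusable."""
    return [line for line in lines if not any(p.search(line) for p in drop_patterns)]


def compress_batch(lines):
    """Compress one batch for transmission; returns (blob, compression ratio)."""
    raw = "\n".join(lines).encode()
    blob = zlib.compress(raw, 9)
    return blob, len(raw) / len(blob)


def decompress_batch(blob):
    """Inverse of compress_batch, as the log manager would apply it."""
    return zlib.decompress(blob).decode().split("\n")


class Collector:
    """Store-and-forward: batches that cannot be sent stay cached until the link returns."""

    def __init__(self, send):
        self.send = send      # callable(blob) -> bool, True on successful delivery
        self.cache = deque()  # compressed batches not yet acknowledged
        self.sent = 0

    def forward(self, lines):
        blob, _ratio = compress_batch(apply_filters(lines))
        self.cache.append(blob)   # cache first, so a failed send loses nothing
        self.flush()

    def flush(self):
        while self.cache:
            if not self.send(self.cache[0]):
                return            # link down: keep everything cached, retry later
            self.cache.popleft()
            self.sent += 1


class FlakyLink:
    """Constructed transport stub: refuses every batch while `down` is True."""

    def __init__(self):
        self.down = False
        self.received = []

    def __call__(self, blob):
        if self.down:
            return False
        self.received.append(blob)
        return True


if __name__ == "__main__":
    link = FlakyLink()
    collector = Collector(link)
    link.down = True
    collector.forward(SAMPLE_LOGS)        # cached, not delivered
    print("cached batches while link down:", len(collector.cache))
    link.down = False
    collector.flush()                     # delivered once the link is back
    _, ratio = compress_batch(apply_filters(SAMPLE_LOGS))
    print("delivered:", collector.sent, "compression ratio: %.1f:1" % ratio)
```

The cache-before-send ordering is the detail that matters for the "reliable transmission" property: a batch is only removed from the cache after the transport has acknowledged it, so a disconnection between filtering and delivery cannot drop events. The measured ratio depends on the data; redundant syslog streams such as the constructed sample compress far better than the 10:1 figure quoted in the table, while high-entropy logs compress less.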

Log management and Archive

Events per second: receives and stores up to 50,000 EPS.

Retention: depending on the available storage volume, logs can be retained for three, six or 12 months.

Message exchange format: IDMEF and IODEF formats are used to exchange event and incident messages between security operation center components.

Real-time data retrieval: facilities are provided for SOC analysts to search and retrieve archived data in real time based on various parameters.

External storage: supports storing data for long-term archive on external storage such as SAN and NAS.

Correlation & Response Engine

Real-time analysis: as soon as the symptoms of an attack are complete, the incident is reported so that the progress of the attack can be stopped.

Multi-stage correlation: some attacks build up the conditions for reaching their goal over long periods of time. To detect them proactively, the different stages of the attack are related to each other, revealing the attacker's final goal.

Cross-device correlation: to complete the symptoms of reported incidents and reduce false-positive alarms, logs of network services and devices are analyzed and correlated with the alerts of security software and devices.

Verification based on asset vulnerabilities: detects and eliminates false-positive alerts when the corresponding vulnerability does not exist on the attack target.

Efficient correlation engine: the correlation engine does not miss attacks while reducing the number of reported events by a very high percentage.

Predefined and customizable correlation rules: a set of generalized correlation rules is selected and shipped with the system. These predefined rules can be customized to the organization's situation, and SOC analysts can inject special-purpose correlation rules into the correlation engine.

Behavioral anomaly analysis: detects abnormal events by statistical analysis of logs against the profiles of assets.

Number of supported rules: unlimited.

Event-per-second throughput: up to 5,000 EPS per appliance; higher throughput can be achieved by replicating multiple appliances.

Visual attack graph: at the end of event analysis, an attack graph is displayed for a better visual understanding of the incident.

Integrated knowledge base: a central knowledge management engine handles the creation and updating of knowledge and guarantees its integrity. The knowledge base contains information such as the organization's security policies and priorities and the vulnerabilities of its assets.

Incident handling process: in addition to an integrated ticketing system for task tracking, the necessary automatic instruments are implemented based on a standard incident handling process. This feature is not present in common SIEM products.

Interaction with organization teams: supports interaction with CERT, NOS and forensics teams.

Incident handling guidelines: for every detected incident, a guideline is proposed describing how to respond to it, together with operational instructions such as blocking malicious traffic or removing malware. SOC analysts can modify the response guidelines or add new special cases to them. This feature is not present in common SIEM products.
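Three of the engine behaviours above (multi-stage correlation, cross-device correlation and verification against asset vulnerabilities) can be made concrete with a toy correlator over a constructed event stream. This is an added example and not Ravin's correlation engine: the rule, the event schema, the hosts and the vulnerability identifiers (VULN-EXAMPLE-1 is a placeholder, not a real advisory) are all assumptions made for the illustration.

```python
"""Multi-stage, cross-device event correlation with asset-based verification.

Added example, not the Ravin engine. A single constructed rule chains
portscan -> exploit attempt -> outbound connection from the target, corroborates
the exploit attempt with the target's own server log, and suppresses exploit
alerts whose referenced vulnerability the target does not actually have.
"""
from collections import defaultdict

# Constructed asset knowledge base: host -> vulnerability ids present on it.
# "VULN-EXAMPLE-1" is a placeholder identifier, not a real advisory.
ASSETS = {
    "10.0.0.20": {"VULN-EXAMPLE-1"},   # web server that still has the weakness
    "10.0.0.21": set(),                # host that has been patched
}

# Constructed event stream from three devices: NIDS, web server, firewall.
EVENTS = [
    {"t": 0,   "dev": "nids", "type": "portscan",        "src": "203.0.113.9", "dst": "10.0.0.20"},
    {"t": 40,  "dev": "nids", "type": "exploit_attempt", "src": "203.0.113.9", "dst": "10.0.0.20", "vuln": "VULN-EXAMPLE-1"},
    {"t": 41,  "dev": "web",  "type": "http_500",        "host": "10.0.0.20"},
    {"t": 90,  "dev": "fw",   "type": "conn_allowed",    "src": "10.0.0.20",   "dst": "198.51.100.7"},
    {"t": 120, "dev": "nids", "type": "exploit_attempt", "src": "203.0.113.9", "dst": "10.0.0.21", "vuln": "VULN-EXAMPLE-1"},
]

STAGE_WINDOW = 600      # seconds within which the stages of one attack must fall
CORROBORATION_WINDOW = 60  # seconds between exploit alert and server-side symptom


def verify_against_assets(event):
    """Vulnerability-based verification: an exploit alert against a host that does not
    carry the referenced vulnerability is treated as a false positive."""
    if event["type"] != "exploit_attempt":
        return True
    return event["vuln"] in ASSETS.get(event["dst"], set())


def target_of(event):
    """The asset an event concerns; for outbound connections that is the connection source."""
    if event["type"] == "conn_allowed":
        return event["src"]
    if event["type"] == "http_500":
        return event["host"]
    return event["dst"]


def correlate(events):
    """Return (incidents, suppressed): incidents for complete scan->exploit->outbound chains,
    and the exploit alerts dropped by asset verification."""
    events = sorted(events, key=lambda e: e["t"])
    suppressed = [e for e in events if not verify_against_assets(e)]
    events = [e for e in events if verify_against_assets(e)]

    by_target = defaultdict(list)
    for e in events:
        by_target[target_of(e)].append(e)

    incidents = []
    for target, evs in by_target.items():
        scans = [e for e in evs if e["type"] == "portscan"]
        outbound = [e for e in evs if e["type"] == "conn_allowed"]
        symptoms = [e for e in evs if e["type"] == "http_500"]
        for ex in (e for e in evs if e["type"] == "exploit_attempt"):
            # Multi-stage: a scan before the exploit and an outbound connection after it.
            prior_scan = [s for s in scans if 0 <= ex["t"] - s["t"] <= STAGE_WINDOW]
            later_conn = [c for c in outbound if 0 <= c["t"] - ex["t"] <= STAGE_WINDOW]
            # Cross-device: the target's own log shows an error right after the attempt.
            corroborated = any(0 <= s["t"] - ex["t"] <= CORROBORATION_WINDOW for s in symptoms)
            if prior_scan and later_conn:
                incidents.append({
                    "target": target,
                    "attacker": ex["src"],
                    "stages": ["portscan", "exploit_attempt", "outbound_connection"],
                    "corroborated_by_server_log": corroborated,
                    "evidence": [prior_scan[0], ex, later_conn[0]],
                })
    return incidents, suppressed


if __name__ == "__main__":
    found, dropped = correlate(EVENTS)
    for inc in found:
        print("incident:", inc["attacker"], "->", inc["target"],
              "stages:", " -> ".join(inc["stages"]),
              "corroborated:", inc["corroborated_by_server_log"])
    for e in dropped:
        print("suppressed (asset not vulnerable):", e)
```

With the constructed stream this yields one incident against 10.0.0.20, corroborated by the web server's own error log, and one suppressed alert against the patched host 10.0.0.21. The two separate windows are the design point worth noting: a long window ties together stages of a slow attack, while a short one keeps the cross-device corroboration tight so unrelated server errors are not counted as evidence.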

GUI

Security dashboards: every user can define customized dashboards composed of arbitrary charts of various security events and reports.

GUI: a web-based graphical user interface is provided to manage, configure, search and follow up the process of identifying, analyzing and handling incidents.

Sensor monitor: the GUI shows the activity status of the registered sensors.

Various reports: the system has many predefined reports, and each user can define arbitrary reports. The defined reports are generated at scheduled times in PDF, HTML and Excel formats.

User management: the access of each SOC team user to the product's components, such as configuration, monitoring and incident handling, can be managed.

Email notification: once a task is assigned to a user, they are notified by email.

Asset discovery and vulnerability assessment: the system contains asset discovery and vulnerability assessment tools that discover assets and their vulnerabilities automatically and add the asset information to the knowledge base. It can also connect to an external asset discovery and vulnerability assessment tool if the organization has one.

Custom script: administrators can define arbitrary actions by writing a manual script and using it to respond to attacks.

Supported devices: commands can be sent to the following kinds of devices and over the following protocols:
network device operating systems
unified threat management systems
network-layer and application firewalls
SFTP
printers
alarm notification systems
operating systems (Windows, Linux, ...)
SSH, Telnet

Support Services

24*7 support: round-the-clock (24*7) support in accordance with the SLA.

Ticketing system: a ticketing system for following up customer requests.

User manual: a user guide to the system's outputs, such as detailed information on attacks and security incidents, is provided to Security Operations Center staff so that they can analyze events effectively.

Training: training is provided for security operations center personnel, so that the trained staff can operate the system autonomously.

Support of knowledge: updates to the attack-detection knowledge are fully supported. Special-purpose correlation rules tailored to the organization's requirements and policies are also supported in accordance with the SLA.

Models and Components

To cover the needs of different customers and let them use different network structures, the product has been designed as a three-component model. The three components are the log collector (LC), log management (LM) and the correlation & response engine (CRE). In addition, two network monitoring sensors, the network intrusion detection system (NIDS) and network traffic analysis (NTA), can be used for more powerful incident detection. This figure shows how the components of the product are combined.

Various features of each component model are described in the following tables. LCS is a software version of the log collector that is installed on the operating system of a desktop or server to collect logs and transmit them to the log management system. At various points in the network, a log collector (LC) appliance is used for one or more pieces of network equipment located close together; the task of this agent is to transfer the logs of the equipment under its control to the LM. Logs received by the CRE are analyzed and the results are stored in the system archive. The staff of the security operation center can monitor the results as detected incidents.

In addition to the models mentioned above, SOC in a Box is an appliance in which all of these components are present. It can be used in small and medium-sized networks that are local and non-distributed. The following table shows the features and models of the SOC in a Box system.

Deployment scheduling

The following list describes the steps to deploy the Security Operations Center in a medium-sized network.